On Mar 25, 2010, at 8:18 AM, János Löbb wrote:
> I thought that when I dedicate a file for the capture, the program
> will not run out of memory, but rather from time to time writes the
> captured data to this file.

dumpcap (the program that actually does the capturing) writes packets to the capture file as soon as they are captured; that's done through buffered I/O routines, so a small amount of packet data is buffered in memory so that larger writes can be done to the file, but that buffer is a fixed size (the size depends on the OS on which you're running).

> Looks to me that Wireshark wants to read all the content
> into real memory

No, it doesn't; the raw capture data is kept in a file. See the OutOfMemory page Bill Meier mentioned in his mail for where Wireshark/TShark use memory. I suspect a significant amount of memory is used to do packet reassembly; if we can make random access to files, including compressed files, efficient, we might be able to store less of the reassembled data permanently.